Just last week, the US FDA published the final version of its Data Integrity and Compliance with cGMP Guidance, which had been issued as a draft in April 2016 – listed in our post about Recent Changes in GMP Guidelines.

The final version of the guide maintains the same structure of questions and answers used in the draft version, and its scope includes finished pharmaceutical products manufacturers and PET (Positron Emission Tomography) drug manufacturers.

The main differences found between the draft and the final version of the guidance document are as follows:

• Change Control: The FDA has removed the sentence that included the concept ‘Why’ as part of the Audit Trail information. However, it still implicitly requires, as in the draft version, the reason for the change, as in the example provided includes the justification of the reprocessing.

• Backup: The FDA clarifies that its interpretation of the term backup is consistent with the term Archive used in the guidance “General Principles of Software Validation”. This backup must be “exact, complete, and secure from alteration, inadvertent erasures, or loss”.

• Invalidating Data: Whilst the general concept does not change, now the final guidance clearly requires that invalidated data should be included in the CGMP documentation, together with the justification its invalidatation.

• Conflict of Interests in administrators: The final guidance still requires that administrators of systems and instruments involved in the data lifecyle should not have conflict of interest with such data lifecycle . Small companies are no longer excluded from this requirement.

• Shared logins: FDA requires to have unique logins for all the users that can modify data. However, for those users accessing the systems for review or browsing data – but not modify – shared logins can be acceptable. This can be interpreted at the application level, but also at the operating system level, when the user has not privileges enabling him/her to alter data or software.

• Forms management: The requirement of keeping control of the forms and their reconciliation does not change. The final guidance remarks the former example of using bound paginated notebooks.

• Who should review Audit Trail records: This section is fully rewritten, but it still keeps the same interpretation than the draft guidance, establishing that Audit Trail records should be reviewed by the personnel responsible for record review.

• How often should Audit Trails be reviewed (new section): If data review frequency is set in CGMP, Audit Trail review should adhere to it (e.g.. manufacturing Audit Trail should be reviewed before releasing the batch). If not specified in CGMP then Risk Assessment should be used: evaluation of data criticality, control mechanisms and impact on product quality. Reliability of the review approach should be proven.

• Use of paper printouts instead of original electronic records: The general requirement of maintaining all features of dynamic data during its retention period is still valid; then, laboratory records should be reviewed by a second person -no changes here. However the guidance now describes an example related to the necessity of a reviewer in Petri plates counting.

• SST and laboratory data: Whilst already present in the draft, now the FDA clearly specifies that all data, including obvious errors, failing, passing and suspect data must be included in the CGMP records to be retained.

• Personnel: The personnel should be trained in preventing and detecting data integrity issues, not just detecting (as written in the draft guidance).

• Access to information: FDA specifies that all the data related to CGMP can be reviewed. This includes the communications between persons if they are related to a GMP subject, i.e: email authorising batch release.

• Addressing data integrity problems: Whilst this section is fully rewritten, the changes in contents are just a few; more details on the possible corrective actions are included. It still recommends retaining a third party auditor.



Globally, the final guidance does not provide significant changes to the draft. The most relevant thing is possibly that, whilst it talks about risk-based decisions, it is not so sharply risk management-focused as the final version of the MHRA guide is. The concepts are a ‘must’ (in fact part of the should of the draft have been changed to must); moreover, the concept of Data Integrity Risk Assessment (DIRA), essential in the MHRA Guidance, is not found in the FDA Guidance.